From 5e0eb1f887e481a97cdf169fe9615ec3dea65d68 Mon Sep 17 00:00:00 2001 From: Massimiliano Culpo Date: Wed, 13 Apr 2022 13:10:00 +0200 Subject: CI: avoid issues with Ubuntu patched git by adding safe.directory (#30042) Ubuntu patched git v2.25.1 with a security fix that also introduced a breaking change, so v2.25.1 behaves like v2.35.2 with respect to the use cases in CVE-2022-24765 --- .github/workflows/bootstrap.yml | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml index 5b3e237b0c..b5fee5f5aa 100644 --- a/.github/workflows/bootstrap.yml +++ b/.github/workflows/bootstrap.yml @@ -59,6 +59,14 @@ jobs: bzip2 curl file g++ gcc gfortran git gnupg2 gzip \ make patch unzip xz-utils python3 python3-dev tree \ cmake bison + - name: Work around CVE-2022-24765 + run: | + # Apparently Ubuntu patched git v2.25.1 with a security patch that introduces + # a breaking behavior. See: + # - https://github.blog/2022-04-12-git-security-vulnerability-announced/ + # - https://github.com/actions/checkout/issues/760 + # - http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_2.25.1-1ubuntu3.3/changelog + git config --global --add safe.directory /__w/spack/spack - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # @v2 - name: Setup repo and non-root user run: | @@ -171,7 +179,15 @@ jobs: apt-get install -y \ bzip2 curl file g++ gcc patchelf gfortran git gzip \ make patch unzip xz-utils python3 python3-dev tree - - uses: actions/checkout@v2 + - name: Work around CVE-2022-24765 + run: | + # Apparently Ubuntu patched git v2.25.1 with a security patch that introduces + # a breaking behavior. See: + # - https://github.blog/2022-04-12-git-security-vulnerability-announced/ + # - https://github.com/actions/checkout/issues/760 + # - http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_2.25.1-1ubuntu3.3/changelog + git config --global --add safe.directory /__w/spack/spack + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 - name: Setup repo and non-root user run: | git --version @@ -200,7 +216,15 @@ jobs: bzip2 curl file g++ gcc patchelf gfortran git gzip \ make patch unzip xz-utils python3 python3-dev tree \ gawk - - uses: actions/checkout@v2 + - name: Work around CVE-2022-24765 + run: | + # Apparently Ubuntu patched git v2.25.1 with a security patch that introduces + # a breaking behavior. See: + # - https://github.blog/2022-04-12-git-security-vulnerability-announced/ + # - https://github.com/actions/checkout/issues/760 + # - http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_2.25.1-1ubuntu3.3/changelog + git config --global --add safe.directory /__w/spack/spack + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 - name: Setup repo and non-root user run: | git --version @@ -225,7 +249,7 @@ jobs: brew install tree # Remove GnuPG since we want to bootstrap it sudo rm -rf /usr/local/bin/gpg - - uses: actions/checkout@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 - name: Bootstrap GnuPG run: | source share/spack/setup-env.sh @@ -241,7 +265,7 @@ jobs: brew install gawk tree # Remove GnuPG since we want to bootstrap it sudo rm -rf /usr/local/bin/gpg - - uses: actions/checkout@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 - name: Bootstrap GnuPG run: | source share/spack/setup-env.sh -- cgit v1.2.3-70-g09d2